CAIQ response
Security questionnaire — answered.
Last updated 2026-04-24 · Mapped to CSA CAIQ v4 control groups (subset)
A condensed response to the most-asked procurement questions, aligned to the Cloud Security Alliance CAIQ v4 control groups. For a full CAIQ spreadsheet under NDA, email trust@sutrace.io.
Audit, Assurance & Compliance
Do you publish a security whitepaper or trust center?
Yes — /legal/trust + /legal/security.
Do you hold an independent third-party audit report (SOC 2, ISO 27001)?
SOC 2 Type I is scheduled for the end of month 3; Type II follows after a 6-month observation window. ISO 27001 is planned for year 2 if the EU pipeline warrants it.
Will you allow customers to audit your systems?
Enterprise customers may audit once per calendar year under the DPA — 45 days' notice, NDA, business hours, at customer expense.
Do you have a documented information-security policy framework?
15 policies drafted (InfoSec, Access Control, IR, BC/DR, Change Mgmt, etc.); executive sign-off pending.
Application & Interface Security
Does your application run secure development lifecycle (SDLC) practices?
PR review + CI typecheck + smoke test + secret scanning + static analysis on every change. Threat-modelling on security-sensitive features.
Are APIs authenticated?
Firebase Auth + App Check (reCAPTCHA Enterprise) on every call from the browser. Server-to-server via short-lived tokens.
Do you test for common web vulnerabilities (OWASP Top 10) before each release?
On every change: dependency scanning (pnpm audit + Dependabot) and static analysis (TypeScript strict + ESLint). An annual external penetration test is planned; see Threat & Vulnerability Management for the schedule.
Business Continuity Management & Operational Resilience
Do you have a documented BC/DR plan?
RTO 4 hours / RPO 24 hours for loss of a region. Daily Firestore export to a second region (the export interval is what bounds the RPO at 24 hours); restore drill twice a year.
Do you test your BC/DR plan?
Semi-annual test-restore into an isolated project; evidence preserved for SOC 2.
Do you publish a status page?
status.sutrace.io — hosted off our primary infrastructure so it stays visible during our own outages.
Change Control & Configuration Management
Are changes reviewed before release?
Every change lands via PR. Typecheck + smoke test + reviewer approval in CI before merge.
Is production access segregated from development?
No SSH into prod; no long-lived keys; production console access is just-in-time, time-boxed, logged.
Data Security & Privacy
Is customer data encrypted at rest?
AES-256 with Google-managed keys by default; customer-managed encryption keys (CMEK) via Cloud KMS on the Scale plan.
Is customer data encrypted in transit?
TLS 1.3 from the edge to Firestore; client connections to the edge require TLS 1.2 or later (see Encryption & Key Management). HSTS, on the preload list. mTLS for anything crossing a workspace boundary.
Is customer data logically segregated from other customers?
Firestore security rules enforce per-workspace isolation on every read and write; no mutable state is shared between workspaces.
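What "per-workspace isolation in security rules" means in practice, as an added illustration rather than the production ruleset: the weak pattern that only checks for a signed-in user is shown commented out beside a hardened one that checks membership of the specific workspace on every path. The collection names (`workspaces`, `members`, `docs`) and the `workspaceId` field are assumed for the example.

```firestore-rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Weak pattern, shown only as the contrast: any signed-in user can read
    // and write every workspace. It passes "are APIs authenticated?" but
    // fails "is customer data logically segregated?".
    //
    // match /workspaces/{wsId}/{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // Hardened pattern. Membership is a document at
    // /workspaces/{wsId}/members/{uid} (assumed layout), written only by the
    // admin plane via the Admin SDK, which bypasses these rules.
    function isMember(wsId) {
      return request.auth != null
        && exists(/databases/$(database)/documents/workspaces/$(wsId)/members/$(request.auth.uid));
    }

    // Clients may see who is in their workspace but never edit membership.
    match /workspaces/{wsId}/members/{uid} {
      allow read: if isMember(wsId);
      allow write: if false;
    }

    // Workspace content (assumed collection "docs"): every read and write
    // checks membership of that workspace, and a write cannot relabel a
    // document with another workspace's id.
    match /workspaces/{wsId}/docs/{docId} {
      allow read: if isMember(wsId);
      allow create, update: if isMember(wsId)
        && request.resource.data.workspaceId == wsId;
      allow delete: if isMember(wsId);
    }

    // No other path is matched, so everything else is denied.
  }
}
```

Firestore denies any request that no `allow` statement matches, so a ruleset like this grants nothing outside the caller's own workspaces, and a single `allow read, write: if request.auth != null` anywhere would undo the isolation. Rules of this shape can be exercised offline against the Firestore emulator with the @firebase/rules-unit-testing package, with one test per cross-workspace read and write that must be denied.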
Can customers choose data-residency region?
EU workspaces → europe-west3 (Frankfurt). US workspaces → us-central1 (Iowa). Self-hosted on customer infra on Scale.
Do you process personal data under a GDPR-compliant DPA?
Yes, at /legal/dpa. It incorporates the 2021 EU SCCs (Modules 2 and 3), the UK IDTA Addendum, a Swiss overlay and CCPA service-provider clauses.
Do you offer a list of subprocessors?
/legal/subprocessors lists our 4 subprocessors with their regions and transfer mechanisms, plus a change log; changes are announced 30 days in advance.
Can customer data be deleted on request?
Self-serve workspace deletion. All data is removed from production and from backups within 30 days. Email privacy@sutrace.io beforehand if you need a machine-readable export first.
Encryption & Key Management
Are cryptographic keys managed in a dedicated system?
Google Cloud KMS. Customer-managed encryption keys (CMEK) are available on the Scale plan.
Are deprecated algorithms blocked?
TLS 1.2 is the minimum accepted at the edge, with TLS 1.3 preferred; cipher suites follow the Cloudflare and GCP defaults, which exclude RC4, 3DES and CBC-only suites.
Governance, Risk Management & Compliance
Do you maintain a risk register?
Living register with likelihood × impact × treatment × owner. Annual full assessment; quarterly refresh.
Do you have a designated DPO or equivalent?
Engaging an outsourced DPO (DataGuard / Proliance / Heuking tier). Interim contact: privacy@sutrace.io.
Who is your lead supervisory authority under GDPR?
BfDI (Germany). Primary infrastructure is in europe-west3 (Frankfurt); note that under GDPR Art. 56 the lead authority is determined by a company's main establishment rather than by its data-centre region.
Human Resources Security
Do employees undergo security training?
Security onboarding at hire + annual refresher. Evidence kept for SOC 2.
Are background checks performed?
Where permitted by local law.
Are access rights removed on employee departure?
Within 4 hours: SSO, GitHub, Firebase, mailboxes. Documented in Access Control policy.
Identity & Access Management
Is multi-factor authentication enforced?
MFA enforced at the IdP for all human access. Customer-side MFA is available via Firebase Auth and strongly recommended.
Is SSO supported?
Google SSO for employees. Enterprise customer SSO (SAML/OIDC) on Business plan+.
Is least-privilege enforced?
Read-only by default; write access on demand; admin access restricted to 4 allowlisted engineers; production access just-in-time.
Are privileged accounts reviewed periodically?
Quarterly access review snapshots, signed off by engineering lead.
Infrastructure & Virtualization Security
Do you use a major cloud provider?
Google Cloud (Firebase). Edge network: Cloudflare.
Are hosts and containers patched automatically?
Serverless stack; no self-managed hosts or containers. GCP patches everything below the Firestore / Cloud Storage layer; our own application dependencies are covered by the scanning described under Threat & Vulnerability Management.
Logging & Monitoring
Do you log security-relevant events?
Auth events (30 days), admin-plane actions (retained indefinitely, recorded in git), Firestore read/write counts (30 days), Cloudflare edge logs (30 days).
Are logs monitored for anomalies?
Automated alerts on cross-workspace anomalies; the on-call engineer reviews the logs weekly.
Security Incident Management
Do you have a documented incident response plan?
Yes. The IR policy, one of the 15 in the policy set, defines severity tiers and customer-notification timelines.
Within what window will you notify customers of a breach?
Within 72 hours of confirming a personal-data breach, as set out in the DPA. P1 incidents are announced sooner via the status page.
Do you publish a bug-bounty program?
Private disclosure via security@sutrace.io: acknowledgement within 24 hours and safe harbour for good-faith researchers. A public HackerOne program is planned after SOC 2 Type II.
Supply Chain Management, Transparency & Accountability
Do you maintain a current subprocessor list and notify customers of changes?
/legal/subprocessors + email to billing contact 30 days before any change.
Are subprocessor changes subject to customer objection?
Customer may object; if unresolved, either party may terminate the affected service without penalty.
Threat & Vulnerability Management
Do you run vulnerability scanning?
Dependabot + pnpm audit on every PR. Critical + high CVEs block merge.
Do you perform annual penetration testing?
First external pen test scheduled for month 3 (short-list: Cure53, NCC, Doyensec); annual cadence thereafter.
What are your patch SLAs?
Critical = 7 days · High = 30 days · Medium = 90 days · Low = 180 days, measured from public disclosure of the CVE.
Need the full CAIQ spreadsheet?
Email trust@sutrace.io with your company, signatory, and the deal you're evaluating. We return the full v4 workbook under NDA within two business days. The same response covers CSA STAR Level 1 self-attestation, which we publish publicly once SOC 2 Type I is issued.